From 3ab0f9a943a2b426a61798763829da0d0be928cb Mon Sep 17 00:00:00 2001
From: AdamWang-TrendMicro <112366146+AdamWang-TrendMicro@users.noreply.github.com>
Date: Fri, 28 Jul 2023 16:37:19 +1000
Subject: [PATCH] Fix account settings: rule extraSettings item (#62)

* Fix bug for account-settings tags field in extraSettings
* Update the example of aws account rule settings
* Update doc
---
 conformity/account_settings.go | 12 +-
 conformity/rule_settings_schema.go | 9 +-
 docs/resources/conformity_aws_account.md | 36 +++
 example/aws/account.tf | 302 +++++++++++++----------
 4 files changed, 224 insertions(+), 135 deletions(-)

diff --git a/conformity/account_settings.go b/conformity/account_settings.go
index 447c7f0..4bc0595 100644
--- a/conformity/account_settings.go
+++ b/conformity/account_settings.go
@@ -127,6 +127,9 @@ func flattenExtraSettings(extra []*cloudconformity.RuleSettingExtra) []interface
 e["multiple_object_values"] = flattenRuleMultipleObject(values[0].(map[string]interface{})) + case "tags": + e["tags"] = expandStringList(values) + default: e["values"] = flattenRuleValues(values)
@@ -398,7 +401,6 @@ func processRuleExtraSettings(es []interface{}) []cloudconformity.RuleSettingExt
 switch extraSetting[i].Type { case "single-string-value", "single-number-value", "ttl", "single-value-regex": - extraSetting[i].Value = item["value"].(string) case "regions":
@@ -407,6 +409,14 @@ func processRuleExtraSettings(es []interface{}) []cloudconformity.RuleSettingExt
 regions := true extraSetting[i].Regions = &regions + case "ignored-regions": + + extraSetting[i].Values = expandStringList(item["regions"].(*schema.Set).List()) + + case "tags": + + extraSetting[i].Values = expandStringList(item["tags"].(*schema.Set).List()) + case "multiple-object-values": extraSetting[i].Values = processRuleMultipleIp(item["multiple_object_values"].(*schema.Set).List())
diff --git a/conformity/rule_settings_schema.go b/conformity/rule_settings_schema.go
index c6dc7a3..a45da05 100644 
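Review bot: flattenExtraSettings gains a `tags` case in the first hunk but no `ignored-regions` case, while processRuleExtraSettings (third hunk, @@ -407) now builds `ignored-regions` from the `regions` attribute. Unless a `regions` case outside this hunk already covers the new type, an `ignored-regions` setting read back from the API falls through to `default` and is stored in `e["values"]` rather than `e["regions"]`, so state never matches the configuration and every plan shows a change. Mirroring the expand side with `case "ignored-regions": e["regions"] = expandStringList(values)` (or folding it into the existing `regions` case) keeps read and write symmetric. If `expandStringList` asserts `.(string)` on each element, a non-string value in the API response would panic the provider here; a checked conversion that reports an error would be safer for data coming back from a remote service. flattenExtraSettings starts and ends outside the hunk.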
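Review bot: the new `ignored-regions` branch reads the same `regions` attribute as the `regions` case directly above it, but unlike that case it leaves `extraSetting[i].Regions` unset, and nothing in the hunk records whether the API expects that difference. A short comment would stop the next reader from "fixing" it, e.g. `// ignored-regions: regions excluded from this rule's checks; the Regions flag is only sent for type "regions"` (confirm against the API contract). Both new branches also assert `item["regions"].(*schema.Set)` and `item["tags"].(*schema.Set)` unchecked, matching the existing `multiple-object-values` branch, so a type mismatch panics instead of surfacing as an error; since the function has no error return, any guard here would have to skip or log. processRuleExtraSettings continues outside the hunk.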
--- a/conformity/rule_settings_schema.go
+++ b/conformity/rule_settings_schema.go
@@ -56,7 +56,7 @@ func ExtraSettingSchema() *schema.Schema {
 Required: true, ValidateFunc: validation.StringInSlice([]string{"multiple-string-values", "multiple-number-values", "multiple-aws-account-values", "choice-multiple-value", "choice-single-value", "single-number-value", "single-string-value", "ttl", "single-value-regex", "tags", - "countries", "multiple-ip-values", "regions", "multiple-object-values", "multiple-vpc-gateway-mappings"}, true), + "countries", "multiple-ip-values", "regions", "ignored-regions", "multiple-object-values", "multiple-vpc-gateway-mappings"}, true), }, "value": { Type: schema.TypeString,
@@ -71,6 +71,13 @@ func ExtraSettingSchema() *schema.Schema {
 // region should follow the correct syntax }, }, + "tags": { + Type: schema.TypeSet, + Optional: true, + Elem: &schema.Schema{ + Type: schema.TypeString, + }, + }, "multiple_object_values": { Type: schema.TypeSet, Optional: true,
diff --git a/docs/resources/conformity_aws_account.md b/docs/resources/conformity_aws_account.md
index 921e9ca..7e2136e 100644
--- a/docs/resources/conformity_aws_account.md
+++ b/docs/resources/conformity_aws_account.md
@@ -142,6 +142,42 @@ resource "conformity_aws_account" "aws" {
 } } } + // implement ignored-regions + rule { + rule_id = "Config-001" + settings { + enabled = true + risk_level = "HIGH" + + extra_settings { + name = "ignoredRegions" + regions = [ + "ap-southeast-2", + "us-west-2", + "us-east-2" + ] + type = "ignored-regions" + } + } + } + // implement tags + rule { + rule_id = "CWE-002" + settings { + enabled = true + risk_level = "HIGH" + + extra_settings { + name = "accountTags" + tags = [ + "Ta1", + "Ta2", + "Ta3" + ] + type = "tags" + } + } + } } } ```
diff --git a/example/aws/account.tf b/example/aws/account.tf
index 618ed76..e2bd456 100644
--- a/example/aws/account.tf
+++ b/example/aws/account.tf 
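Review bot: `ignored-regions` joins a list that `validation.StringInSlice(..., true)` matches case-insensitively, while processRuleExtraSettings dispatches on the exact string `case "ignored-regions":`, so a configuration with `type = "Ignored-Regions"` passes plan-time validation, matches no branch, and is sent without its values and without any error. The same gap exists for every entry already in the list, including `tags`. Either pass `false` as the ignoreCase argument, or normalize the type with `strings.ToLower` before the switch so validation and dispatch agree. ExtraSettingSchema starts and ends outside the hunk.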
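Review bot: the new `tags` attribute has no `Description` and no element validation, and the schema accepts it for any `type`, so a `tags` list combined with another type is silently ignored and an empty-string element is accepted and forwarded to the API as-is. Adding `Description: "Tag values for extra settings of type \"tags\"; ignored for other types."` and `Elem: &schema.Schema{Type: schema.TypeString, ValidateFunc: validation.StringIsNotEmpty}` documents the contract and rejects blank entries at plan time. Conversely, `type = "tags"` with no `tags` attribute passes validation and sends an empty value list; since `RequiredWith` is awkward inside nested blocks, a `CustomizeDiff` on the resource is the likely place to enforce that pairing. ExtraSettingSchema starts and ends outside the hunk.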
@@ -1,143 +1,179 @@ resource "conformity_aws_account" "aws" { - name = "aws-conformity" - environment = "development" - role_arn = "${aws_cloudformation_stack.cloud-conformity.outputs["CloudConformityRoleArn"]}" - external_id = data.conformity_external_id.external.external_id - tags = ["development"] - - settings { - rule { - rule_id = "S3-021" + name = "aws-conformity" + environment = "development" + role_arn = aws_cloudformation_stack.cloud-conformity.outputs["CloudConformityRoleArn"] + external_id = data.conformity_external_id.external.external_id + tags = ["development"] - settings { - enabled = false - risk_level = "HIGH" - rule_exists = false - } - } - // implement value - rule { - rule_id = "RDS-018" - settings { - enabled = true - risk_level = "MEDIUM" - rule_exists = false - exceptions { - tags = [ - "mysql-backups", - ] - } - extra_settings { - name = "threshold" - type = "single-number-value" - value = "90" - } - } + settings { + rule { + rule_id = "S3-021" + + settings { + enabled = false + risk_level = "HIGH" + rule_exists = false + } + } + // implement value + rule { + rule_id = "RDS-018" + settings { + enabled = true + risk_level = "MEDIUM" + rule_exists = false + exceptions { + tags = [ + "mysql-backups", + ] } - // implement multiple values - rule { - rule_id = "SNS-002" - settings { - enabled = true - risk_level = "MEDIUM" - rule_exists = false - exceptions { - tags = [ - "some_tag", - ] - } - extra_settings { - name = "conformityOrganization" - type = "choice-multiple-value" - values { - enabled = false - label = "All within this Conformity organization" - value = "includeConformityOrganization" - } - values { - enabled = true - label = "All within this AWS Organization" - value = "includeAwsOrganizationAccounts" - } - } - } + extra_settings { + name = "threshold" + type = "single-number-value" + value = "90" } - // implement regions - rule { - rule_id = "RTM-008" - settings { - enabled = true - risk_level = "MEDIUM" - rule_exists = false - 
extra_settings { - name = "authorisedRegions" - regions = [ - "ap-southeast-2", - "eu-west-1", - "us-east-1", - "us-west-2", - ] - type = "regions" - } - } + } + } + // implement multiple values + rule { + rule_id = "SNS-002" + settings { + enabled = true + risk_level = "MEDIUM" + rule_exists = false + exceptions { + tags = [ + "some_tag", + ] } - // implement multiple_object_values - rule { - rule_id = "RTM-011" - settings { - enabled = true - risk_level = "MEDIUM" - rule_exists = false - extra_settings { - name = "patterns" - type = "multiple-object-values" - multiple_object_values { - event_name = "^(iam.amazonaws.com)" - event_source = "^(IAM).*" - user_identity_type = "^(Delete).*" - } - } - } + extra_settings { + name = "conformityOrganization" + type = "choice-multiple-value" + values { + enabled = false + label = "All within this Conformity organization" + value = "includeConformityOrganization" + } + values { + enabled = true + label = "All within this AWS Organization" + value = "includeAwsOrganizationAccounts" + } + } + } + } + // implement regions + rule { + rule_id = "RTM-008" + settings { + enabled = true + risk_level = "MEDIUM" + rule_exists = false + extra_settings { + name = "authorisedRegions" + regions = [ + "ap-southeast-2", + "eu-west-1", + "us-east-1", + "us-west-2", + ] + type = "regions" } - // implement mappings - rule { - rule_id = "VPC-013" - settings { - enabled = true - risk_level = "LOW" - rule_exists = false - extra_settings { - name = "SpecificVPCToSpecificGatewayMapping" - type = "multiple-vpc-gateway-mappings" - // can be multiple mappings - mappings { - // can be multilple value - // if mappings is declared, values is required - values { - // name is required - // type is required - name = "gatewayIds" - type = "multiple-string-values" - // can be one of this value/values - values { - // value is required - // validation value should start with nat- - value = "nat-001" - } - values { - value = "nat-002" - } - } - values { - name = 
"vpcId" - type = "single-string-value" - // can be one of this value/values - // validation value should start with vpc- - value = "vpc-001" - } - } - } + } + } + // implement multiple_object_values + rule { + rule_id = "RTM-011" + settings { + enabled = true + risk_level = "MEDIUM" + rule_exists = false + extra_settings { + name = "patterns" + type = "multiple-object-values" + multiple_object_values { + event_name = "^(iam.amazonaws.com)" + event_source = "^(IAM).*" + user_identity_type = "^(Delete).*" + } + } + } + } + // implement mappings + rule { + rule_id = "VPC-013" + settings { + enabled = true + risk_level = "LOW" + rule_exists = false + extra_settings { + name = "SpecificVPCToSpecificGatewayMapping" + type = "multiple-vpc-gateway-mappings" + // can be multiple mappings + mappings { + // can be multilple value + // if mappings is declared, values is required + values { + // name is required + // type is required + name = "gatewayIds" + type = "multiple-string-values" + // can be one of this value/values + values { + // value is required + // validation value should start with nat- + value = "nat-001" + } + values { + value = "nat-002" + } } + values { + name = "vpcId" + type = "single-string-value" + // can be one of this value/values + // validation value should start with vpc- + value = "vpc-001" + } + } + } + } + } + // implement ignored-regions + rule { + rule_id = "Config-001" + settings { + enabled = true + risk_level = "HIGH" + + extra_settings { + name = "ignoredRegions" + regions = [ + "ap-southeast-2", + "us-west-2", + "us-east-2" + ] + type = "ignored-regions" + } + } + } + // implement tags + rule { + rule_id = "CWE-002" + settings { + enabled = true + risk_level = "HIGH" + + extra_settings { + name = "accountTags" + tags = [ + "Ta1", + "Ta2", + "Ta3" + ] + type = "tags" } + } } + } }